redline | d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890

Analysis

max time kernel
153s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe
Size

690KB
MD5

c739646777bfd5d1ae7da944ad269ac3
SHA1

d98aca4ac920187c5332a85100ced78017feed0c
SHA256

d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890
SHA512

f34e727e6126821eeb8c8d7ddbf65f0f7fa972718c24cbc2b6fd2e1134378c8ee5a438ef7c5650ca4db405a2dcee6cb20fde687719177b93fa41b10144a3acc7
SSDEEP

12288:Jy90NVXamCIhcVExQBlYGPDqbH7/mAbrLari36NaT3Hc8/oXHyy:Jy8VXcVEW74H7+Ab3ari360T3c85y

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2164-992-0x0000000007610000-0x0000000007C28000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	66824932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	66824932.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	66824932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	66824932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	66824932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	66824932.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4460	un924195.exe
4116	66824932.exe
2164	rk810407.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	66824932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	66824932.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un924195.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un924195.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3088	4116	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4116	66824932.exe
4116	66824932.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4116	66824932.exe
Token: SeDebugPrivilege	2164	rk810407.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 4460	2600	d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe	81
PID 2600 wrote to memory of 4460	2600	d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe	81
PID 2600 wrote to memory of 4460	2600	d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe	81
PID 4460 wrote to memory of 4116	4460	un924195.exe	82
PID 4460 wrote to memory of 4116	4460	un924195.exe	82
PID 4460 wrote to memory of 4116	4460	un924195.exe	82
PID 4460 wrote to memory of 2164	4460	un924195.exe	86
PID 4460 wrote to memory of 2164	4460	un924195.exe	86
PID 4460 wrote to memory of 2164	4460	un924195.exe	86

C:\Users\Admin\AppData\Local\Temp\d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe
"C:\Users\Admin\AppData\Local\Temp\d3b3437d6ea7a02c992585b5cf2b2c34fb7c4b93b81e4407ae7d7d3ee5def890.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924195.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924195.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66824932.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66824932.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1092
      4⤵
      Program crash
      PID:3088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk810407.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk810407.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4116 -ip 4116
1⤵
PID:2072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924195.exe

Filesize
536KB

MD5
2ad672d5abbebef235a4972809593839

SHA1
c655da2f1fd47c1a5b604536fbc59cd878f343f5

SHA256
12a282aa9dcca2ee23d956e73455e7a4f4608184286f108fadb2d63ebd2edd86

SHA512
0741dd229369b9b6120f04e58e3b11a54faea91857ccc1c43bf051b22297b8783ffd25f435e4272922c4c3c82ce800da5577c2fe1552ac46974588f8cacb0c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924195.exe

Filesize
536KB

MD5
2ad672d5abbebef235a4972809593839

SHA1
c655da2f1fd47c1a5b604536fbc59cd878f343f5

SHA256
12a282aa9dcca2ee23d956e73455e7a4f4608184286f108fadb2d63ebd2edd86

SHA512
0741dd229369b9b6120f04e58e3b11a54faea91857ccc1c43bf051b22297b8783ffd25f435e4272922c4c3c82ce800da5577c2fe1552ac46974588f8cacb0c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66824932.exe

Filesize
259KB

MD5
a72b294115d9456f54c5cbc18387d1dd

SHA1
6b6c2578b326321591f4b629a43ba1178c5d1453

SHA256
514293c4815fab741a85209b5d1210deb252d05d9eded2c76021c4870730f773

SHA512
8b49e50a9877f411e0aaa2e41456a58cd1aec4bf60ab0cd973567d33612b4b6d3e650bdea69284a54a8fa556aa4b13a78e0aef91b96091f0c2d1a667bfc29dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66824932.exe

Filesize
259KB

MD5
a72b294115d9456f54c5cbc18387d1dd

SHA1
6b6c2578b326321591f4b629a43ba1178c5d1453

SHA256
514293c4815fab741a85209b5d1210deb252d05d9eded2c76021c4870730f773

SHA512
8b49e50a9877f411e0aaa2e41456a58cd1aec4bf60ab0cd973567d33612b4b6d3e650bdea69284a54a8fa556aa4b13a78e0aef91b96091f0c2d1a667bfc29dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk810407.exe

Filesize
341KB

MD5
ff7d8e449dfe37d4a83b77708dbb714e

SHA1
3fdceec5f99e42ff0c5fec12ee497cbf215527dc

SHA256
9f8167c60e0d4899ef4d3ec9aa855d2181523c4546f3f7140461b8c798b5c5c8

SHA512
479d6244e99b00acb27826bfb6c6215d070fd899c66b36a51b875be0d00bfd44c07f75ec1fa883cf960bd21cd45715463ded8a564ee2dba22cafaec5b1510a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk810407.exe

Filesize
341KB

MD5
ff7d8e449dfe37d4a83b77708dbb714e

SHA1
3fdceec5f99e42ff0c5fec12ee497cbf215527dc

SHA256
9f8167c60e0d4899ef4d3ec9aa855d2181523c4546f3f7140461b8c798b5c5c8

SHA512
479d6244e99b00acb27826bfb6c6215d070fd899c66b36a51b875be0d00bfd44c07f75ec1fa883cf960bd21cd45715463ded8a564ee2dba22cafaec5b1510a19

Download Submit
memory/2164-223-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2164-219-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2164-996-0x0000000007D40000-0x0000000007D7C000-memory.dmp

Filesize
240KB

Download
memory/2164-995-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/2164-994-0x0000000007C30000-0x0000000007D3A000-memory.dmp

Filesize
1.0MB

Download
memory/2164-993-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2164-992-0x0000000007610000-0x0000000007C28000-memory.dmp

Filesize
6.1MB

Download
memory/2164-227-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2164-999-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/2164-225-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2164-201-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2164-221-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2164-218-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/2164-998-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/2164-213-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/2164-216-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/2164-215-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2164-211-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2164-212-0x0000000001FF0000-0x0000000002036000-memory.dmp

Filesize
280KB

Download
memory/2164-209-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2164-207-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2164-205-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2164-203-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2164-1000-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/2164-1001-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/2164-196-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2164-197-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/2164-199-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/4116-161-0x0000000002450000-0x0000000002463000-memory.dmp

Filesize
76KB

Download
memory/4116-188-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4116-184-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/4116-183-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/4116-182-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/4116-181-0x0000000002450000-0x0000000002463000-memory.dmp

Filesize
76KB

Download
memory/4116-179-0x0000000002450000-0x0000000002463000-memory.dmp

Filesize
76KB

Download
memory/4116-177-0x0000000002450000-0x0000000002463000-memory.dmp

Filesize
76KB

Download
memory/4116-175-0x0000000002450000-0x0000000002463000-memory.dmp

Filesize
76KB

Download
memory/4116-173-0x0000000002450000-0x0000000002463000-memory.dmp

Filesize
76KB

Download
memory/4116-171-0x0000000002450000-0x0000000002463000-memory.dmp

Filesize
76KB

Download
memory/4116-169-0x0000000002450000-0x0000000002463000-memory.dmp

Filesize
76KB

Download
memory/4116-167-0x0000000002450000-0x0000000002463000-memory.dmp

Filesize
76KB

Download
memory/4116-165-0x0000000002450000-0x0000000002463000-memory.dmp

Filesize
76KB

Download
memory/4116-163-0x0000000002450000-0x0000000002463000-memory.dmp

Filesize
76KB

Download
memory/4116-159-0x0000000002450000-0x0000000002463000-memory.dmp

Filesize
76KB

Download
memory/4116-157-0x0000000002450000-0x0000000002463000-memory.dmp

Filesize
76KB

Download
memory/4116-155-0x0000000002450000-0x0000000002463000-memory.dmp

Filesize
76KB

Download
memory/4116-154-0x0000000002450000-0x0000000002463000-memory.dmp

Filesize
76KB

Download
memory/4116-153-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4116-152-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/4116-151-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/4116-150-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/4116-149-0x0000000004B10000-0x00000000050B4000-memory.dmp

Filesize
5.6MB

Download
memory/4116-148-0x00000000004A0000-0x00000000004CD000-memory.dmp

Filesize
180KB

Download